California Privacy Act Vs. The General Data Protection Regulation

Organizations across the globe are making their way back to the ‘war room’ to analyze how one of the most comprehensive data privacy laws sweeping the US, the California Consumer Privacy Act of 2018 (“CaCPA”), applies to their business processes. The CaCPA, approved on June 28, 2018, was designed to give consumers (i.e., Californians) control over the use, including the sale, of their personal information. This law is conceptually similar to the European Union’s data protection regulation, including its ability to be enforced on a global scale.

While both privacy acts share a similar intent, the CaCPA has its own set of specific characteristics that set it apart from its European counterpart. Although many of the general provisions appear to be borrowed from the GDPR and other global privacy practices, organizations will need to carefully evaluate the appropriateness of previously developed policies, procedures, or processes to meet California’s new privacy provisions.

In this article, we look at the new CaCPA in comparison to the EU General Data Protection Regulation (GDPR). The aim is to identify certain similarities and differences between the two regulations so that organizations can better strategize their efforts to achieve compliance with both.

About the Author

Kevin Kish is a Privacy Technical Lead with Schellman & Company, LLC. Prior to joining Schellman, Kevin worked as an IT Compliance Manager, specializing in IT Security and Data Privacy compliance frameworks, including ISO 27001, HITRUST, Privacy Shield and the General Data Protection Regulation. As a Senior Associate with Schellman, Kevin is focused primarily on data protection laws for organizations across various industries.